VIRSPEC.TXT - Special information regarding unique viruses AntiVirus Lab, SYMANTEC/Peter Norton Product Group December 2, 1994 ****************************************************************** This text file contains information about viruses that cause unique problems and require special handling. One Half Virus =========== The One Half virus is a multipartite virus that exhibits both stealth and polymorphic behavior. In addition to infecting files and master boot records, the One Half virus will encrypt data on your hard disk. To date, the One Half virus has been detected in parts of Europe, specifically Russia and other Eastern bloc countries. The virus was also detected in a U.S. government agency. Starting November 1, 1994 the virus definitions file includes a definition for detecting this virus. If Norton AntiVirus finds the One Half virus on your computer, please contact Technical Support department for instructions on how to remove the virus. Please do not attempt to repair the virus without talking to Technical Support first. **************************************************************** WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate the master boot record or use inoculation technology to repair the virus and DO NOT attempt to repair your hard disk using Norton Disk Doctor or any other disk repair utility. **************************************************************** Viking.Dec3 =========== The Viking.Dec3 virus alters EXE files in such a way that NAV is not able to completely repair it. However, we felt it was more important to give you 99% of the pie than 50%. NAV will repair the COM files flawlessly. In order to complete the EXE repair, we need your involvement. As a result, we recommend that you replace files from backups where you can. And where you can't, apply the following procedure. If you need help with this repair, we encourage you to call our Technical Support. After an EXE file is repaired by NAV, one must take the following additional steps. Lines prefixed by the "greater than" sign represent lines to be typed at the DOS prompt. Lines prefixed by a dash are typed while running debug. >rename filename.exe filename.bad >debug filename.bad -d 100 l 4 Verify that the first byte is E9 and the fourth byte is C0. If yes, proceed. If no, quit (q) from debug. -e 100 4d 5a ff 1 -w -q >rename filename.bad filename.exe